Crackmes.de – josamont’s j666

This crackme was published December 2nd, 2014. It is rated “3 – Getting harder”. The description reads:

Find the pass

This is the main routine:

The crackme starts by calling sum_up_code, shown next:

This code sums up opcode dwords starting from the beginning of the subroutine, until an opcode dword is less than 804819Ah. The result is stored in code_check_sum. By doing this, the crackme can check for the presence of software breakpoints, which alter the code by inserting INT 3 instructions. I don’t plan on using a debugger, so I ignore this subroutine. Next the password is read by a call to sys_read. The value is then converted from hex to binary using the subroutine hexToInt:

This subroutine starts with an anti-patching check: the four bytes at offset 80480E8 are compared to F3 A6 74 11 – this is the location and opcode for:

F3 A6 repe cmpsb
74 11 jz short loc_80480FD

If you want to patch this check, you also need to patch the check in hexToInt. Since I don’t plan on patching the crackme, I can ignore this check. The rest of the routine is interpreting the password as hex and converting the value to binary, storing the result in password_value. There are two interesting code sequences in hexToInt:

4F dec edi
4B dec ebx
0A 00 or al, [eax]

and

4E dec esi
6F outsd
0A 00 or al, [eax]

The offset of these code snippets is used as the goodboy and badboy message, 4F 4B 00 and 4E 6F 00 decode to the null-terminated strings “OK” and “No” respectively. After hexToInt there is a call to xor_code:
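As an added illustration (my own Python, not the crackme’s code), the following models what hexToInt and the final compare accomplish: the typed password is read as hexadecimal up to a newline, packed as a little-endian dword, and compared byte by byte against a hidden four-byte value, as repe cmpsb would do. The hidden value used here is constructed for the demo, not the bytes at 8048096; the “OK” and “No” byte sequences are the ones quoted above, decoded as NUL-terminated strings. Handling of non-hex characters and over-long input is my assumption about sensible behaviour, not something the write-up states:

```python
import struct
from typing import Optional

HEX_DIGITS = "0123456789abcdef"

# Instruction bytes from hexToInt that double as message strings (from the write-up).
OK_BYTES = bytes.fromhex("4F4B00")  # dec edi; dec ebx; or al,[eax]  -> "OK"
NO_BYTES = bytes.fromhex("4E6F00")  # dec esi; outsd;  or al,[eax]  -> "No"

# Constructed hidden password value for the demo (NOT the real bytes at 8048096).
HIDDEN_DWORD = bytes.fromhex("efbeadde")  # little-endian encoding of 0xDEADBEEF


def bytes_as_cstring(code: bytes) -> str:
    """Read instruction bytes as a NUL-terminated ASCII string."""
    return code.split(b"\x00", 1)[0].decode("ascii")


def hex_to_int(password: bytes) -> Optional[int]:
    """Convert hex text (stopping at newline or NUL) to an integer.

    Returns None for an empty value, a non-hex character, or more than
    eight digits (which would not fit a 32-bit register).
    """
    value = 0
    digits = 0
    for b in password:
        if b in (0x0A, 0x00):
            break
        c = chr(b).lower()
        if c not in HEX_DIGITS:
            return None
        value = (value << 4) | HEX_DIGITS.index(c)
        digits += 1
        if digits > 8:
            return None
    return value if digits else None


def check_password(password: bytes, hidden: bytes = HIDDEN_DWORD) -> str:
    """Pack the converted value as a dword and compare it to the hidden bytes in memory order."""
    value = hex_to_int(password)
    if value is None:
        return bytes_as_cstring(NO_BYTES)
    matched = struct.pack("<I", value) == hidden
    return bytes_as_cstring(OK_BYTES if matched else NO_BYTES)


if __name__ == "__main__":
    for attempt in (b"deadbeef\n", b"DEADBEEF\n", b"12345678\n", b"xyz\n"):
        print(attempt.rstrip().decode(), "->", check_password(attempt))
```

The little-endian packing is the detail that matters when recovering the password from the four bytes: the value you type is the dword read in reverse byte order from how it sits in memory.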

The snippet changes 9*4 bytes starting at offset 80491B8. The routine affects neither our entered password, nor the hidden password. I don’t know what the purpose of this routine is. Finally, we get to the password check:

The check compares four bytes at offset 8048096 to the password that we entered; if they match, we get the “OK” string, otherwise the “No” message (both are hidden in hexToInt). At offset 8048096 we find: